Cryptographic method and devices for facilitating calculations during transactions

ABSTRACT

The cryptographic method is used in transactions for which a first entity generates, by means of a private RSA key, a proof verifiable by a second entity by means of a public RSA key associated with said private key. The public key includes an exponent and a module. The first entity generates a first element of proof by a calculation that can be performed independently of the transaction, and a second element of proof related to the first element of proof and which depends on a common number shared by the first and the second entities specifically for the transaction. The second entity verifies that the first element of proof is related, modulo the module of the public key, to a power of a generic number, with an exponent equal to a linear combination of the common number and of a product of the exponent of the public key by the second element of proof.

The invention relates to the technical field of cryptography, and moreprecisely to what is called public key cryptography. In this type ofcryptography, a user owns a pair of keys for a given use. Said pair ofkeys consists of a private key that this user keeps secret and anassociated public key that this user may communicate to other users. Forexample, in the case of a pair of keys dedicated to confidentiality, thepublic key is then used to encipher the data, whereas the secret key isused to decipher it, that is to say to re-establish this data in clear.

Public key cryptography is very widely used insofar as, unlike secretkey cryptography, it does not require the interlocutors to share thesame secret in order to establish a security-protected communication.However, this advantage in terms of security is accompanied by adisadvantage in terms of performance, since public key cryptographymethods, also called “public key schemes”, are often one hundred or onethousand times slower than secret key cryptography methods, also called“secret key schemes”. A very great challenge is therefore to find publickey cryptography methods that can be rapidly executed so as to be ableto use them in resource-limited environments, such as standardmicroprocessor cards, with or without contacts.

Most public key schemes existing at the present time rely on thedifficulty of mathematical problems in the field of arithmetic (or“number theory”). Thus, the security of the RSA (Rivest, Shamir,Adleman) numerical signature and encryption scheme is based on thedifficulty of the problem of factorizing integers: given a very largeinteger (having more than 500 digits) obtained privately by multiplyingtogether two or more prime numbers of comparable size, no effectivemethod exists at the present time for recovering these prime numbers.

Other public key schemes, such as the digital signature scheme describedin patent application FR-A-2 716 058, rely for their security on thedifficulty of what is called the “discrete logarithm problem”. Thisproblem may be expressed in its most general case as follows: let E be aset provided with an operation (i.e. with a function which, having twoelements a and b, associates an element denoted “a.b” or “ab”, andcalled the “product of a and b”), let g be an element of E, let r be alarge integer and let y be the integer defined by: y=g^(r) (that is tosay the product g•g• . . . •g, with g occurring r times); it is thenunfeasible to recover r from g and y. Often the set E used is the set ofintegers modulo n, where n is an integer, a prime number or a numbercomposed of prime numbers.

The invention relates more particularly to the technical field of entityauthentication, also called “identification”, and also that of theauthentication of a message and of its digital signature by means ofpublic key cryptographic techniques. In such methods, the authenticatedentity, called the “prover”, possesses a secret or private key and anassociated public key. The prover uses the secret key to produce anauthentication value or a digital signature. The authenticating entity,called the “verifier”, needs only the public key of the prover to verifythe authentication value or the digital signature.

The field of the invention is more particularly still that of theso-called “zero-knowledge” authentication methods. This means that theauthentication takes place using a protocol which, in a proven manner,reveals nothing about the secret key of the authenticated entity,irrespective of the number of times it is used. From this type of schemeit is known how to deduce, using standard techniques, schemes forauthenticating a message and a digital signature of this message.

The field of the invention is more particularly still that of methodswhose security relies both on the difficulty of the problem offactorizing integers and on the difficulty of the discrete logarithmproblem.

The invention is applicable in any system using public key cryptographyto protect the security of their elements and/or their transactions, andmore particularly in systems in which the number of calculationsperformed by the various parties constitutes, at least for one of them,a critical parameter, either because it does not have available acoprocessor specialized in cryptographic calculations, often called a“cryptoprocessor”, so as to speed up the calculations, or because it iscapable of carrying out a large number of calculations simultaneously,for example in the case of central server, or for any other reason.

A typical application is electronic payment, by bank card or byelectronic purse. In the case of proximity payment, the payment terminalis in a public place, prompting the use of public key cryptographymethods, so as not to store a master key. To reduce the overall costs ofsuch a system, it may be desirable either for the card to be a standardmicroprocessor card, that is to say a card not provided with acryptoprocessor, or for the security-protected microprocessor containedin the terminal itself to be of standard type, or for both of these.Depending on the case and on the cryptographic method adopted, the priorart known at the present time does achieve one or other of theseobjectives, but does not allow both to be easily achievedsimultaneously, while complying with the constraints of the system. Anexample of such a constraint is that the payment shall be effected inless than one second, or even in less than 150 milliseconds in the caseof a contactless transaction, or even in a few milliseconds in the caseof a freeway toll.

The cryptographic method most widely used at the present time is the RSAmethod. It is based on the problem of factorization. This algorithm,standardized in various instances, has become a de facto standard. Itwill remain the predominant algorithm in years to come. Many products,systems and infrastructures, such as PKI (Public Key Infrastructure)infrastructures, have been designed from this algorithm and from theformats of the keys that it uses.

As is known, according to this algorithm the public key consists of apair of integers (n,e) and the private key consists of an integer d. Themodulus n is an integer large enough for it to be unfeasible tofactorize it. An entity A which, alone, holds the private key d, is thesole entity capable of generating an integer W′ equal to a power of theinteger W modulo n with d as exponent, so as to allow any entity Bknowing the public key (n,e) to recover the integer W by raising theinteger W′ to a power modulo n with e as exponent.

In a method using a message signature M, the integer W is generally animage of the message via a function such as a known hash function. Theprover is the entity A, the signature is the integer W′, the verifier isthe entity B which verifies that the integer found, based on thesignature W′, is the image of the message via the known function.

In a method of identification, the integer W generally constitutes achallenge sent by the entity B, which is the verifier. The number W′generated by the entity A, which is the prover, constitutes the responseto this challenge.

In a method of authenticating the message M, the integer W generallyresults from a combination of an image of the message M and of achallenge sent by the verifier consisting of the entity B. The number W′generated by the entity A, which is the prover, constitutes an authenticsignature in response to this challenge.

However, the RSA algorithm has a problem stemming from the large numberof operations to be carried out by the prover or the signer. To carryout a complete calculation in less than one second on a microprocessorcard performing these operations, it is necessary to add acryptoprocessor to the card. However, the fabrication and installationof a cryptoprocessor have a not inconsiderable cost, which increases thecost of the microprocessor card. It is also known that a cryptoprocessorconsumes a large amount of current. Supplying the card via the terminalmay pose technical difficulties in the case of a contactless interface.It is also known that the addition of a cryptoprocessor facilitatesphysical attack by spectral analysis of the current consumed, whichpresents a drawback to which it is difficult to find technicalsolutions. Moreover, even if the card is provided with acryptoprocessor, the calculation may still prove too slow inapplications in which the transaction time needs to be very short, as incertain of the examples mentioned above.

The object of the present invention is to specify public keycryptographic methods such as authentication and digital signaturemethods. More precisely, the object of the present invention is to usethe same keys as the RSA algorithm with a level of security at leastequal to that of this algorithm, while still allowing a large majorityof the calculations to be carried out in advance, which avoids having touse a cryptoprocessor.

Considering a cryptographic method that can be used in a transaction forwhich a first entity generates, by means of an RSA private key, a proofverifiable by a second entity by means of an RSA public key associatedwith said private key, said public key comprising a first exponent and amodulus, the method according to the invention is noteworthy in that:

-   -   the first entity generates a first element of proof, a first        calculation of which, consuming considerable resources, can be        executed independently of the transaction;    -   the first entity generates a second element of proof related to        the first element of proof and dependent on a common number        shared by the first and second entities specifically for the        transaction, a second calculation of which consumes few        resources; and    -   the second entity verifies that the first element of proof is        related through a relationship with a first power modulo the        modulus of a generic number having a second exponent equal to a        linear combination of all or part of the common number and of        the public key first exponent multiplied by the second element        of proof.

The fact that the keys are of the RSA type has the advantage of beingable to use, without any modification, many existing products,developments or infrastructures, such as key production software,descriptions of microprocessor memory regions, public key certificateformats, etc.

Since the first element of proof can be calculated completely or partlyindependently of the transaction, the first entity has the possibilityof carrying out a complex calculation prior to the transaction, whilekeeping the execution of this complex calculation secret in order toguarantee security. Thus, it may be seen that a first entity rapidlygenerates such a first element of proof right from the start of thetransaction without requiring powerful resources, such as those of acryptoprocessor. Only the first entity is then capable of generating thesecond element of proof by relating it to the first element of proof soas to make, through simple operations, the second element of proofdepend on a common number specifically shared by the transaction. Thepossible execution of these simple operations in a short time by thefirst entity avoids slowing down the transaction, while stillmaintaining a high level of security.

Without being limited, the object of the transaction may be to identifythe first entity, to sign a message or to authenticate a message.

In particular, to allow the first entity to be identified:

-   -   the first element of proof is generated by the first entity by        raising the generic number to a second power modulo the modulus        having a third exponent equal to the public key first exponent        multiplied by a random integer kept secret by the first entity;    -   the common number is chosen randomly from within a security        interval and then sent by the second entity after having        received the first element of proof; and    -   the relationship verified by the second entity is an equality        relationship between a power of the first element of proof and        the first power of the generic number.

The complex calculation, the execution of which is kept secret, relatesin this case to the raising to the second power of the generic number inorder to generate the first element of proof. The choice of the commonnumber, chosen at random during the transaction, does not impair thespeed of this transaction.

In particular, in order to allow a message to be signed:

-   -   the first element of proof is generated by the first entity by        applying a standard hash function to the message and to the        generic number raised to a second power modulo the modulus        having a third exponent equal to the public key first exponent        multiplied by a random integer kept secret by the first entity;    -   the common number is equal to the first element of proof; and    -   the relationship verified by the second entity is an equality        relationship between the common number and a result of the        standard hash function applied to the message and to the first        power of the generic number.

The complex calculation whose execution is kept secret relates in thiscase to the raising to the second power of the generic number in orderto generate a potential of proof. The application of the standard hashfunction to the message and to this potential of proof no longerconsumes considerable resources. The first entity may in this casecalculate the potential of proof before the transaction in whichtransmission of the second element of proof and of the first element ofproof equal to the common number shared with the second entity, thenconstitutes transmission of the signature of the message.

In particular, in order to authenticate that a message received by thesecond entity comes from the first entity:

-   -   the first element of proof is generated by the first entity by        applying a standard hash function to the message and to the        generic number raised to a second power modulo the modulus        having a third exponent equal to the public key first exponent        multiplied by a random integer kept secret by the first entity;    -   the common number is chosen at random from within a security        interval and then sent by the second entity after having        received the first element of proof; and    -   the relationship verified by the second entity is an equality        relationship between the first element of proof and a result of        the standard hash function applied to the message and to the        first power of the generic number.

The complex calculation kept secret relates here to the raising to thesecond power of the generic number in order to generate the firstelement of proof. The choice of the common number, chosen at randomduring the transaction by the second entity, does not impair the speedof this transaction.

In general, the complex calculation that can be carried out before thetransaction does not directly involve the private key and its resulttherefore gives no information about the private key.

More particularly, the cryptographic method is noteworthy in that:

-   -   the second element of proof is generated by the first entity by        subtracting, from the random integer, the private key multiplied        by the common number;    -   the linear combination equal to the second exponent comprises a        positive unitary coefficient for the common number and a        positive unitary coefficient for the public key first exponent        multiplied by the second element of proof; and    -   in the verified relationship, the first element of proof is        considered with a unitary exponent power.

Alternatively, and preferably when the common number is chosen by thesecond entity, the cryptographic method is noteworthy in that:

-   -   since the common number is split into a first elementary common        number and a second elementary common number, the second element        of proof is generated by the first entity by subtracting, from        the random integer multiplied by the first elementary common        number, the private key multiplied by the second elementary        common number;    -   the linear combination equal to the second exponent comprises a        zero coefficient for the first elementary common number, a        positive unitary coefficient for the second elementary common        number and a positive unitary coefficient for the public key        first exponent multiplied by the second element of proof; and    -   in the verified relationship, the first element of proof is        considered with an exponent power equal to the first elementary        common number.

The simple subtraction and multiplication operations described abovemake it possible to rapidly calculate the second element of proof withina transaction and to repeat the transaction several times by generatingeach time a second element of proof related to another first element ofproof via a different random number, without giving any informationabout the private key.

Advantageously, the cryptographic method is noteworthy in that thesecond element of proof is calculated modulo an image of the modulus viaa Carmichael function or modulo a multiple of the order of the genericnumber modulo the modulus.

The random integer may be chosen to be very much greater than theprivate key. If the advantage mentioned in the previous paragraph is notapplied, it is necessary for the random integer to be very much greaterthan the value of the private key. Advantageously, in order to reducethe number of operations needed for the exponentiation with the randomnumber as exponent, the random integer is less than an image of themodulus via a Carmichael function or less than a multiple of the orderof the generic number modulo the modulus. Such a random number cannotgive any exploitable information about the private key.

By reducing the size of the second element of proof thus obtained, it ispossible to speed up the calculations to be made by the second entitywithout impairing security.

Also advantageously, the cryptographic method is noteworthy in that thethird exponent is calculated modulo an image of the modulus via aCarmichael function or modulo a multiple of the order of the genericnumber modulo the modulus.

By reducing the size of the third exponent thus obtained, it is possibleto speed up the calculations to be made by the first entity withoutimpairing security.

A value two assigned to the generic number facilitates theexponentiations to any power of the generic number. A small value mayalso be assigned to the generic number that makes it possible todistinguish each first entity, by applying a known hash function to themodulus and to the first exponent of the public key.

An appreciable improvement to the cryptographic method fordistinguishing the first entity is one whereby the generic number istransmitted with the public key, the generic number being equal to asimple number raised to a power modulo the modulus with the private keyas exponent.

All that the first entity then has to do is to raise the simple numberto a power modulo the modulus with the random number as exponent so asto obtain the same result as by raising the generic number to a secondpower modulo the modulus having a third exponent equal to the public keyfirst exponent multiplied by a random integer. By assigning the valuetwo to the simple number, the complex calculation is considerablyspeeded up, whether this is carried out before or during thetransaction.

A further appreciable improvement to the cryptographic method is onewhereby:

-   -   a third entity receives the second element of proof, generates a        third element of proof by raising the generic number to a power        modulo the modulus with the second element of proof as exponent        and sends the third element of proof to the second entity; and    -   the second entity raises the third element of proof to a power        modulo the modulus with the first exponent and multiplies the        result thereof by the generic number raised to a power whose        exponent is the common number in order to verify the        relationship which relates the first element of proof to the        second element of proof.

The third entity makes it possible to relieve the second entity withoutimpairing the integrity of the verification.

Considering an intrusion-protected prover device provided with an RSAprivate key kept secret, in order to generate, during a transaction witha verifier device, a proof whose verification by means of a public keyassociated with said private key makes it possible to guarantee that theprover device is the origin of said proof, said RSA public keycomprising a first exponent and a modulus, the prover device accordingto the invention is noteworthy in that it comprises:

-   -   calculation means designed to generate a first element of proof,        a first calculation of which consumes considerable resources,        can be executed independently of the transaction and to generate        a second element of proof related to the first element of proof        and dependent on a common number specific to the transaction;        and    -   communication means designed to transmit at least the first and        the second elements of proof and designed to transmit said        common number to the verifier device or to receive said common        number therefrom.

In particular, the prover device according to the invention isnoteworthy in that:.

-   -   the calculation means are, on the one hand, designed to generate        a first random number and to raise a generic number to a power        modulo the modulus having an exponent equal to the public key        first exponent multiplied by the random integer; and    -   the calculation means are, on the other hand designed to        generate the second element of proof by taking the difference        between the random integer and the private key multiplied by the        common number.

Alternatively, the calculation means are designed to carry outoperations modulo an image of the modulus via a Carmichael function ormodulo a multiple of the order of the generic number modulo the modulus.

Considering a verifier device for verifying that a proof originates froma prover device provided with an RSA private key kept secret by theprover device, by means of a public key associated with said privatekey, said RSA public key comprising an exponent and a modulus, theverifier device according to the invention is noteworthy in that itcomprises:

-   -   communication means designed to receive a first element of proof        and a second element of proof or a third element of proof, and        to receive or transmit a common number specific to a transaction        within which the first and the second or the third element of        proof are received; and    -   calculation means designed to verify that the first element of        proof is related through a relationship, modulo the modulus,        with a first power of a generic number having a second exponent        equal to a linear combination of the common number and of the        public key first exponent multiplied by the second element of        proof.

In particular, the verifier device is noteworthy in that thecommunication means are designed to receive the second element of proofand in that the calculation means are designed to calculate the secondexponent and said first power of the generic number.

Alternatively, the verifier device is noteworthy in that thecommunication means are designed to receive the third element of proofand in that the calculation means are designed to raise the thirdelement of proof to a power of the public key first exponent in order tomultiply the result thereof by the generic number raised to a secondpower having the common number as exponent.

The invention will be better understood from the illustrative examplesdescribed below with reference to the appended drawings in which:

FIG. 1 shows steps of the method according to the invention foridentifying a first entity;

FIG. 2 shows steps of the method according to the invention for signinga message;

FIG. 3 shows steps of the method according to the invention forauthenticating a message;

FIG. 4 shows a first variant of the authentication method forfacilitating many transactions; and

FIG. 5 shows a second variant of the authentication method involving anintermediate entity.

The embodiment described here is an entity authentication oridentification method. It allows a prover A to convince a verifier B ofits authenticity. This method may be transformed into a method ofauthenticating a message or digital message signature as explainedbelow. Its security relies on the difficulty of factorizing largeintegers. This difficulty is known to those skilled in the art as beingat least as great as the difficulty of the problem on which the securityof the RSA algorithm relies. In one option allowing the verificationtask to be facilitated, the security of the method is equivalent to RSAsecurity.

It will be recalled that a prime number is a number divisible only byone and by itself. It will also be recalled that the Euler function φ(z)of any positive integer z gives the cardinal number of the set ofpositive integers less than z and coprime to z, that is to say having nocommon factor with z other than 1. It will also be recalled that theCarmichael function λ(w) of any positive integer w gives the smalleststrictly positive integer v such that any integer u satisfies therelationship {u^(v)=1 modulo w}, that is to say, as is known, theremainder of the integer division of u^(v) by w is equal to 1.

According to the objective and to the results explained above, thismethod uses RSA keys. In order to constitute a prover device, a firstentity A possesses firstly a public key disclosed to any second entityB, which constitutes a verifier device. The first entity A secondlypossesses a private key kept secret. The public key comprises a modulusn and a first exponent e. The private key comprises a second exponent d.The modulus n is an integer equal to the product of two or more primenumbers. When the number n is a product of two prime numbers p and q,then φ(n)=(p-1)(q-1). Many RSA descriptions specify that the modulus n,the first exponent e and the second exponent d satisfy the equation{ed=1 modulo φ(n)}. It is well known to those skilled in the art thatwhen the equation {ed=1 modulo φ(n)} is satisfied, then the equation{ed=1 modulo λ(n)} is satisfied.

More generally, the method operates with the same level of security forany public key (n,e) associated with a private key d that satisfies theequation {ed=1 modulo λ(n)}.

In all the options, it is assumed that the verifier B already knows allthe public parameters needed to verify that a proof is given by a firstentity, the prover A, namely its identity, its public key, its publickey certificate, etc.

Identification of the entity A by the entity B takes place by iteratingthe protocol described here with reference to FIG. 1 k times. The numberk is a positive integer which, with an integer t less than or equal tothe exponent e, defines a pair of security parameters.

In a first step 9, the entity A generates a first random integer r verymuch greater than d, calculates x=g^(er) (mod n) and sends x to theentity B. In a known manner, the entities A and B are of the computer orchip card type. The integer g is a generic number known by the entitiesA and B. A value of the generic number g, equal to 2 facilitates itsexponentiations. The generic number g may also be a function of theprover's public key, for example g=h(n,e), where h is a hash functionknown to all. The generic number g may also be determined by the entityA and then transmitted with its public key. For example, the entity Araises a simple number G to the power d, the result of which gives thenumber g such that g^(e)(mod n)=G. Since the generic number g iscalculated once and for all by the entity A, the calculation of x issimplified, as in this case x=G^(r)(mod n). A value of the simple numberG equal to 2, facilitating its exponentiations, is more particularlyadvantageous. The expression (mod n) means modulo n, that is to say, asis known, the result of the calculation is equal to the remainder of theinteger division of the result of the operation in question by theinteger n, generally called the modulus. Here, the integer x constitutesa first element of proof, as only the entity that generates the randomnumber r is capable of generating the number x. The random number r isnot communicated by the entity that generates it. From known numbertheory, the number r is chosen to be large enough so that knowledge ofthe generic number g or of the simple number G and of the modulus n doesnot allow the number r to be recovered from the number x.

Receipt by the entity B of the first element of proof x validates atransition 10, which then activates a second step 11.

In step 11, the entity B sends to the entity A an integer c chosen atrandom from within an interval [0,t-1] called the security interval.Thus, the number c is common to the entities A and B and also to anyother entity infiltrating the dialogue between the entities A and B.

Receipt of the common number c by the entity A validates a transition12, which then activates a third step 13.

In step 13, the entity A calculates y=r−dc. Thus, the entity A generatesan image y of the private key in the form of a linear combination of thenumber r and of the number d, the multiplicative coefficient of which isthe common number c. Since the random number r is very large and notcommunicated, knowledge of the image y does not allow the product dc tobe recovered and consequently prevents recovery of the private keynumber d, which therefore remains kept secret by the entity A. Sinceonly the entity A knows the number d, only the entity A can generate animage that integrates the common number c.

Considering the protocols described here, an imposter is an entity thatattempts to pass off as the entity A without knowing the secret of theprivate key d. It can be demonstrated that, when the factorization ofthe integers is a difficult problem, the probability of the imposter notbeing detected is equal to 1/kt. The security of these protocols istherefore at least as great as that of RSA. For many applications, theproduct kt may be chosen to be relatively small within an authenticationcontext, for example of the order of 2¹⁶.

Any values of k and t of the pair of security parameters are possible.Preferably, k=1 and t=e, in which case the probability defined above isequal to 1/e and there is only one verification equation to be applied.A standard RSA public exponent value such that e=65537, i.e. 2¹⁶+1, issuitable for many applications.

Receipt by the entity B of the second element of proof y validates atransition 16, which then activates a fourth step 17.

In step 17, the entity B verifies that g^(ey+c)=x(mod n). Although, asseen above, the second element of proof communicates no informationabout the private key d, the second element of proof y is such that:ey+c=e(r−dc)+c.

Therefore, by raising the generic number g to a power whose exponent isa linear combination of the common number c and the product ey, then:g ^(ey+c) =g ^(er)(g ^(−ed+1))^(c) =x(mod n).

Moreover, although according to number theory the generic number gcommunicates no information about the private key, the generic number gis in fact such that:(g ^(dc))^(e) =g ^(c)(mod n).

Thus, without communicating r at any time, the equality:(g ^(y))^(e) g ^(c)=(g ^(r))^(e) =x(mod n)certifies that the entity A knows d.

This verification is speeded up by calculating in advance, at the end ofstep 11 or even before it:v′=g ^(c)(mod n).

Thus, in the fourth step, B no longer has to verify: g^(ey)v′=x(mod n).When B receives y, it is advantageous for B to calculate once and forall G=g^(e)(mod n) so as to verify, in step 11, G^(y)v′=x(mod n). Otherpossible ways of optimizing the verification calculation will be givenin the rest of the description.

Many different ways of optimizing this basic protocol are possible. Forexample, x=g^(er) (mod n) may be replaced with x=g^(−er)(mod n), inwhich case the verification equation becomes g^(ey+c)x=1(mod n).

Again, for example, it is possible to replace c with a pair of positiveor negative integers (a,b) and to replace y=r−dc with y=ar−bd, in whichcase the verification equation becomes g^(ey+b)=x^(a)(mod n).

If the prime number factors of the modulus n are known from A, then thefirst step may be speeded up using what is called the “Chineseremainders” technique.

The first step may be carried out in advance. Moreover, the k values ofx may form part of A's public key, in which case the protocol commencesdirectly at the second step. These values of x may also be calculated byan external entity worthy of confidence and stored in the entity A.

When the precalculated values of the first element of proof are joinedto the public key, the protocol within a transaction commences directlywith step 11. It is the entity B which decides on the number k ofiterations of steps 11 and 13 for each of which the entity B verifies,in step 17, that there exists a value of the first element of proof xthat is equal to V. The entity A is again the only one to know therandom numbers that correspond to a first element of proof.

To be able to store a maximum number of precalculated values in a memoryof the entity A, particularly when the entity A is integrated in amicrocircuit of a chip card, in the case of a credit card or a mobiletelephone, the number x may be replaced with a value f(x) where f is afunction, for example equal to (or including) a cryptographic hashfunction, in which case the verification equation becomes:f(g^(ey+c)(mod n))=f(x).

All or some of the above modifications may be combined.

One useful improvement to the method consists in storing an image λ(n)of the modulus n via the Carmichael function in the memory of the entityA.

So as to reduce the size of the second element of proof y, in order toreduce the verification time without thereby modifying the verificationequation, the second element of proof y is calculated modulo λ(n) instep 13. In this method of implementation, the random number r isadvantageously chosen to be less than λ(n) in step 11. More generally,the expression {y=r−dc} may be replaced with any expression{y=r−dc−iλ(n)}, where i is any integer, preferably a positive integer.

So as to speed up execution of step 11, prior to the exponentialoperation applied to the generic number g, the product er is calculatedmodulo λ(n).

An equivalent means consists in replacing λ(n) with the order of gmodulo n, that is to say the smallest non zero integer l such thatg^(l)=1 modulo n, or more generally by any multiple of this order l.

Referring to FIG. 5, the verification calculation executed by the entityB may also be partially delegated to any entity other than B, withoutany loss of security. In this case, A supplies the second element ofproof y to this other entity C. The entity C generates a third elementof proof Y from the second element of proof y and sends the thirdelement of proof Y to the entity B. Firstly, knowing y provides noinformation about d, since the product dc is “masked” by the randomnumber r. Secondly, it is virtually impossible for a fraudster tomanufacture Y from all parts, that is to say without the second elementof proof y being exclusively generated by the first entity A. This isbecause, given n, e, x and c, it is unfeasible to find a value of Y thatsatisfies the verification equation of the fourth step if thefactorization is a difficult problem.

The public key is the pair (n,e) and the authentication oridentification of the entity A by the entity B takes place by iteratingthe protocol described here k times, where C denotes any entity otherthan B. Compared with other protocols of the prior art in which, forexample, in the discrete logarithm case the public key is a quadruplet(n, e, g, v), the reduction in number of components of the public keyreduces the number of operations to be carried out without impairingsecurity. Advantageously, according to the invention, the public keyused here is of RSA type, the protocol described being easily integratedinto a widely exploited RSA context.

The method is carried out in a manner identical to that described withreference to FIG. 1 up to step 13. With reference to FIG. 5, step 13 ismodified in that the entity A sends the image y of the private key d tothe intermediate entity C. As seen above, the image y gives noinformation about the private key.

Receipt by the entity C of the image y validates a transition 14, whichtherefore activates the fifth step 15.

In step 15, it is in this case the intermediate entity C that calculatesthe third element of proof Y=g^(y)(mod n) and sends Y to B.

The procedure then continues in the same way as that described withreference to FIG. 1 via the transition 16 and step 17. However, step 17is modified in that the second entity B now has only to raise the thirdelement of proof Y to a power of exponent e and to multiply the resultthereof by g^(c)(mod n).

Physically, the intermediate entity C is, for example, incorporated intoa chip, which is not necessarily security protected, contained in thesecurity device of the prover, such as a chip card, in the securitydevice of the verifier, such as a payment terminal, or else in anotherdevice, such as a computer. The security lies in the fact that theentity C cannot by itself find a suitable value Y, that is to say suchthat the verification equation is satisfied.

The protocols described above may be converted into messageauthentication protocols or into digital signature schemes.

FIG. 3 shows steps of a method that makes it possible to authenticatethat a message M received by the second entity B was sent by the firstentity A.

In a first step 20, the entity A generates a first random integer r verymuch greater than d and calculates a potential of proof P using aformula such that P=g^(er)(mod n) as in step 9 in the case of the firstelement of proof. Instead of sending P to the entity B, the entity Agenerates a first element of proof x by applying, to the message M,jointly with the number P, a function h equal, for example, to acryptographic hash function or including a cryptographic hash functionsuch that:x=h(P,M).

Next, the entity A sends the message M and the first element of proof xto the entity B.

Receipt of the message M and of the first element of proof x by theentity B validates a transition 21, which activates a second step 11.The procedure then continues in the same way as that described withreference to either FIG. 1 or FIG. 5.

In step 11, the entity B sends the entity A an integer c chosen atrandom from within an interval [0,t-1] called the security interval.Thus, the number c is common to the entities A and B and also to anyother entity infiltrating the dialogue between the entities A and B.

Receipt by the entity A of the common number c validates a transition12, which then activates a third step 13.

In step 13, the entity A calculates y=r−dc. Thus, the entity A generatesan image y of the private key in the form of a linear combination of thenumber r and the number d, the multiplicative coefficient of which isthe common number c. Since the random number r is very large and notcommunicated, knowledge of the image y does not allow the product dc tobe recovered, and consequently does not allow recovery of the privatekey number d that therefore remains kept secret by the entity A. Sinceonly the entity A knows the number d, only the entity A can generate animage that integrates the common number c. In the example, shown in FIG.3, the entity A sends the private key image y to the entity B, but mayalso send it to an intermediate entity C as in FIG. 5. As was seenpreviously, the image y gives no information about the private key.

Receipt of the image y by the entity B validates a transition 16, whichthen activates the fourth step 22.

In step 22, the entity B calculates, as in step 17, a verification valueV by means of the formula:V=g ^(c+ey)(mod n)and then verifies the match of the second element of proof with thefirst element of proof by means of the verification equation:h(V,M)=x.

In the variant using a function f, the verification equation becomesh(f(g^(c+ey)(mod n)),M)=x.

In the variant using a function f and involving the intermediate entityC, the verification equation becomes h(f(Y^(e)g^(c)(mod n)),M)=x.

Unlike the message authentication, the message signature is independentof the sender in the sense that the signature of a message M by theentity A remains valid if the entity B receives the message M from anyother entity. A size not less than twenty-four bits for the public keyexponent e is recommended in order to guarantee an acceptable level ofsecurity.

Referring to FIG. 2, in a first step 18, the entity A generates a firstrandom integer r and calculates a potential of proof P=g^(er)(mod n).

In a second step 23 directly after step 1, the entity A generates afirst element of proof x by applying, to the message M, jointly with thenumber P, a function h, for example equal to a cryptographic hashfunction or including a cryptographic hash function, such that:x=h(P,M).

In step 23, the entity A generates the common number c taken equal tothe first element of proof x.

In a third step 24 directly after step 23, the entity A calculatesy=r−dc. Thus, the entity A generates an image y of the private key inthe form of a linear combination of the number r and the number d, themultiplicative coefficient of which is the common number c. Since therandom number r is very large and not communicated, knowing the image ydoes not allow the product dc to be recovered and consequently does notallow recovery of the private key number d, which therefore remains keptsecret by the entity A. Since only the entity A knows the number d, onlythe entity A can generate an image that integrates the common number c.As was seen above, the image y gives no information about the privatekey. The pair (x,y) constitutes a signature of the message M since thispair integrates both the message M and a private key element thatguarantees that the entity A is the source of this signature.

The entity A then sends the message M and the signature (x,y) to theentity B or to any other entity that will subsequently be able to sendthe signed message to the entity B.

It should be noted that the message M is not necessarily sent at step24. The message M may be sent in step 19 independently of its signature,since any modification of the message M would have a negligible chanceof being compatible with its signature.

Receipt by the entity B of the message M with its signature (x,y),originating from the entity A or from any other entity, validates atransition 25, which then activates a step 26.

In step 26, the entity B takes the common number c as being equal to thefirst element of proof x.

In step 26, the entity B calculates, as in step 17, a verification valueV by means of the formula:V=g ^(c+ey)(mod n)and then verifies the match of the second element of proof with thefirst element of proof by means of the verification equation:h(V,M)=x

In this case, the match with the first element of proof is verified bythis equality owing to the fact that the common number c generated instep 23 itself matches the first element of proof.

In the variant using a function f, the verification equation becomesh(f(g^(c+ey)(mod n)),M)=x.

One particularly efficient implementation of the method of the inventionwill now be explained with reference to FIG. 4.

A step 27 generates, and stores in a memory of the entity A, one or morerandom number values r(j′), associated with each of which is a potentialof proof P(j′). The index j′ serves to establish, in a table, acorrespondence between each random number r(j′) and the associatedpotential of proof P(j′). Each random number r(j′) is generated so as tobe either substantially greater than the private key d, or less than orequal to λ(n), as explained above. Each potential of proof P(j′) iscalculated as a power of the simple number G with r(j′) as exponent.Step 27 is executed for each row of index j′ by incrementing modulo alength k′ the index j′ after each calculation of P(j′). The length k′represents the number of rows of the table such that, with j′=0 indexingthe first row of the table, the executions of step 27 stop when j′becomes zero again or they continue in order to renew the valuescontained in the table. The length k′ has a value equal to or greaterthan k.

The calculation of P(j′) is carried out by the entity A or by aconfidential entity that receives, from the entity A, the random numberr(j′) or the value λ(n) in order to choose random numbers r(j′) lessthan or equal to λ(n). When the calculation of P(j′) is carried out bythe entity A, each execution of step 27 is activated by a transition 28,which is validated when digital processing means of the entity A aredetected free.

The simple number G is determined in an initial step 29. When thegeneric number g is set, and therefore known to all, the entity A simplyneeds to communicate the public key (n,e) and the simple number G iscalculated so that G=g^(e) modulo n. When the generic number g is notset, the entity A chooses a value of G, for example G=2 and generatesg=G^(d) modulo n. The generic number g is then transmitted with thepublic key. The index j′ is set to zero so as to start a first executionof step 27 for the first row of the table. Each end of execution of step27 is connected back to the output of step 29 in order to scan thetransition 28 and, with priority, the transitions 40, 41, 42.

The transition 42 is validated by an identification transaction, whichthen activates a series of steps 43 and 45.

Step 43 positions an iteration index j, for example equal to the currentindex j′ of the table containing the random numbers and the associatedpotentials of proof.

In step 45, the entity A generates the first element x by simply readingthe potential of proof P(j) from the table. During the transactiondetected by validation of the transition 42, generation of the firstelement of proof therefore requires no power calculation. The firstelement of proof x is thus rapidly transmitted.

A transition 1 is validated by receipt of the common number c, whichthen activates a step 2.

In step 2, the entity A generates the second element of proof y asexplained above. Since the operations are limited to a fewmultiplications and additions or subtractions, they require littlecomputation time. The second element of proof y is thus transmittedrapidly after receipt of the common number c.

In step 2, the index p is increased by a unitary increment so as torepeat step 45 and step 2, as long as j is detected in a transition 3,different from j′ modulo k, until a transition 4 detects that j is equalto j′ modulo k, in order to return to the output of step 29 after kexecutions of step 45.

The transition 41 is validated by a signature transaction of the messageM. The transition 41 then activates a series of steps 44 and 46. Step 44positions an iteration index j, for example equal to the current indexj′ of the table containing the random numbers and the associatedpotentials of proof. The message M is transmitted at step 44.

In step 46, the entity A generates the first element of proof x byapplying the standard hash function h( ) to the message M and to theresult of simply reading the potential of proof P(j) from the table. Thecommon number c is taken equal to the first element of proof x.

In step 46, the entity A generates the second element of proof y asexplained above. Since the operations are limited to a fewmultiplications and additions or subtractions, they require littlecomputation time. During the transaction detected by validation of thetransition 41, generation of the signature consisting of the firstelement of proof x and the second element of proof y, therefore requiresno power calculation. The signature (x,y) is thus rapidly transmitted.

Optionally in step 46, the index j is increased by a unitary incrementso as to repeat step 46 as long as j is detected in a transition 3,different from j′ modulo k, until a transition 4 detects that j is equalto j′ modulo k in order to return to the output of step 29 after kexecutions of step 46.

The transition 40 is validated by a transaction for authenticating themessage M. The transition 40 then activates a series of steps 43 and 47.

Step 43 positions an iteration index j, for example equal to the currentindex j′ of the table containing the random numbers and the associatedpotentials of proof.

In step 47, the entity A transmits the message M and the first elementof proof x. The first element of proof x is generated by applying thestandard hash function h( ) to the message M and to the result of simplyreading the potential of proof P(j) from the table.

During the transaction detected by validation of the transition 40,generation of the first element of proof therefore requires no powercalculation. The first element of proof x is thus rapidly transmitted.

A transition 1 is validated by receipt of the common number c, whichthen activates a step 48.

In step 48, the entity A generates the second element of proof y asexplained above. Since the operations are limited to a fewmultiplications and additions or subtractions, they require littlecomputation time. The second element of proof y is thus rapidlytransmitted after receipt of the common number c.

In step 48, the index p is increased by a unitary increment so as torepeat step 47 and step 48 as long as j is detected in a transition 3,different from j′ modulo k, until a transition 4 detects that p is equalto j′ modulo k in order to return to the output of step 29 after kexecutions of step 47.

Referring to FIG. 6, the entities A, B and C described above are formedphysically by a prover device 30, a verifier device 31 and anintermediate device 32 respectively. The prover device 30 is for examplea microprocessor card, such as a credit card or a mobile telephonesubscriber identification card. The verifier device 31 is for example abank terminal or an electronic commerce server, or mobiletelecommunication operator equipment. The intermediate device 32 is forexample a microprocessor card extension, a credit card read terminal ora mobile telephone electronic card.

The prover device 30 includes communication means 34 and calculationmeans 37. The prover device 30 is protected from intrusion. Thecommunication means 34 are designed to transmit the first element ofproof x, in accordance with step 9, 45 or 47, described with referenceto FIG. 1, 3 or 4, the second element of proof y, in accordance withstep 13 described with reference to FIGS. 1 and 3, at step 24 describedwith reference to FIG. 2 or at steps 2 and 48 described with referenceto FIG. 4, the message M, in accordance with steps 19, 20, 44 or 47described with reference to FIGS. 1 to 4, or the common number c, inaccordance with step 24, 46 described with reference to FIGS. 2 and 4,depending on the version of the method to be implemented. Thecommunication means 34 are also designed to receive the common number c,in accordance with the transition 12 or 1 described with reference toFIGS. 1 to 4, when versions of the method to be implemented correspondto identification or to authentication. For a version of the method tobe implemented corresponding to a signature, the communication means 34do not need to be designed to receive the common number c.

The calculation means 37 are designed to execute steps 9 and 13described with reference to FIG. 1 or 5, steps 18, 19, 23 and 24described with reference to FIG. 2, and steps 13 and 20 described withreference to FIG. 3 or the steps described with reference to FIG. 4,depending on the version of the method to be implemented. Thecalculation means 37 comprise, in a known manner, a microprocessor andmicroprograms or combinatory circuits dedicated to the calculationsdescribed above.

The verifier device 31 includes communication means 35 and calculationmeans 38. The communication means 35 are designed to transmit one ormore common numbers c, in accordance with step 11 described withreference to FIGS. 1, 3 and 5, when versions of the method to beimplemented correspond to authentication. For a version of the method tobe implemented corresponding to a signature, the communication means 35have no need to be designed to transmit the common number c. Thecommunication means 35 are also designed to receive the two elements ofproof x and y, in accordance with the transitions 10 and 16 describedwith reference to FIGS. 1 to 3 and 5, a message M with the first elementof proof x and the second element of proof y, in accordance with thetransitions 21 and 16 described with reference to FIG. 3, or the secondelement of proof and the message M with one or more common numbers c andthe private key image y, in accordance with the transitions 2 and 8described with reference to FIG. 5.

The calculation means 38 are designed to execute steps 11 and 17described with reference to FIGS. 1 and 5, step 26 described withreference to FIG. 2 or steps 11 and 22 described with reference to FIG.3, depending on the version of the method to be implemented. Thecalculation means 38 comprise, in a known manner, a microprocessor andmicroprograms or combinatory circuits dedicated to the calculationsdescribed above.

The intermediate device 32 includes communication means 36 andcalculations means 39. The communication means 36 are designed totransmit the third element of proof Y in accordance with step 15described with reference to FIG. 5. The communication means 36 are alsodesigned to receive the second element of proof y in accordance with thetransition 14 described with reference to FIG. 5.

The calculation means 39 are designed to execute step 15 described withreference to FIG. 5. The calculation means 39 comprise, in a knownmanner, a microprocessor and programs or combinatory circuits dedicatedto the calculations described above.

As an improvement, the calculation and communication means describedabove are designed to repeat the execution of the steps described abovek times, each time for a first element of proof and a second element ofproof that are different.

1. A cryptographic method for a transaction whereby a first entitygenerates, by means of an RSA private key a proof verifiable by a secondentity by means of an RSA public key associated with said private key,said public key comprising a first exponent and a modulus, the methodcomprising the steps of: generating a first element of proof at thefirst entity, whereby calculation of said first element of proof isexecutable independently of the transaction; generating, at the firstentity, a second element of proof related to the first element of proofand dependent on a common number shared by the first and second entitiesspecifically for the transaction, whereby calculation of said firstelement of proof consumes substantially less resources than thecalculation of said first element of proof; and verifying, at the secondentity that the first element of proof is related through a relationshipwith a first power modulo the modulus of a generic number having asecond exponent equal to a linear combination of at least part of thecommon number and of the first exponent of the public key multiplied bythe second element of proof.
 2. The cryptographic method as claimed inclaim 1, wherein for identifying the first entity, the first element ofproof is generated by the first entity by raising the generic number toa second power modulo the modulus having a third exponent equal to thefirst exponent of the public key multiplied by a random integer keptsecret by the first entity, wherein the common number is chosen randomlyfrom within a security interval [0,t 1] and then sent by the secondentity after having received the first element of proof, and wherein therelationship verified by the second entity is an equality relationshipbetween a power of the first element of proof and the first power of thegeneric number.
 3. The cryptographic method as claimed in claim 1,wherein for signing a message, the first element of proof is generatedby the first entity by applying a hash function to the message and tothe generic number raised to a second power modulo the modulus having athird exponent equal to the first exponent of the public key multipliedby a random integer kept secret by the first entity, wherein the commonnumber is equal to the first element of proof, and wherein therelationship verified by the second entity is an equality relationshipbetween the first element of proof and a result of said hash functionapplied to the message and to the first power of the generic number. 4.The cryptographic method as claimed in claim 1, wherein forauthenticating that a message received by the second entity comes fromthe first entity, the first element of proof is generated by the firstentity by applying a hash function to the message and to the genericnumber raised to a second power modulo the modulus having a thirdexponent equal to the first exponent of the public key multiplied by arandom integer kept secret by the first entity, wherein the commonnumber is chosen at random from within a security interval [0,t 1] andthen sent by the second entity after having received the first elementof proof, and wherein the relationship verified by the second entity isan equality relationship between the first element of proof and a resultof said hash function applied to the message and to the first power ofthe generic number.
 5. The cryptographic method as claimed in claim 4,wherein the second element of proof is generated by the first entity bysubtracting, from the random integer, the private key multiplied by thecommon number, wherein the linear combination equal to the secondexponent comprises a positive unitary coefficient for the common numberand a positive unitary coefficient for the first exponent of the publickey multiplied by the second element of proof, and wherein, in theverified relationship, the first element of proof is considered with aunitary exponent power.
 6. The cryptographic method as claimed in claim4, wherein the common number comprises first and second elementarycommon numbers, wherein the second element of proof is generated by thefirst entity by subtracting, from the random integer multiplied by thefirst elementary common number, the private key multiplied by the secondelementary common number, wherein the linear combination equal to thesecond exponent comprises a zero coefficient for the first elementarycommon number, a positive unitary coefficient for the second elementarycommon number and a positive unitary coefficient for the first exponentof the public key multiplied by the second element of proof, andwherein, in the verified relationship, the first element of proof isconsidered with an exponent power equal to the first elementary commonnumber.
 7. The cryptographic method as claimed in claim 6, wherein thesecond element of proof is calculated modulo an image of the modulus viaa Carmichael function or modulo a multiple of the order of the genericnumber modulo the modulus.
 8. The cryptographic method as claimed inclaim 6, wherein the random number is substantially greater than thevalue of the private key.
 9. The cryptographic method as claimed inclaim 7, wherein the random integer is less than an image of the modulusvia a Carmichael function or less than a multiple of the order of thegeneric number modulo the modulus.
 10. The cryptographic method asclaimed in claim 9, wherein the third exponent is calculated modulo animage of the modulus via a Carmichael function or modulo a multiple ofthe order of the generic number modulo the modulus.
 11. Thecryptographic method as claimed in claim 1, wherein the generic numberis transmitted with the public key, the generic number being equal to asimple number raised to a power modulo the modulus with the private keyas exponent.
 12. The cryptographic method as claimed in claim 1, furthercomprising the steps of: receiving the second element of proof at athird entity; generating a third element of proof at the third entity byraising the generic number to a power modulo the modulus with the secondelement of proof as exponent; sending the third element of proof to thesecond entity; and at second entity, raising the third element of proofto a power of first exponent, modulo the modulus, and multiplying theresult thereof by the generic number raised to a power whose exponent isthe common number in order to verify the relationship relating the firstelement of proof to the second element of proof.
 13. A prover devicehaving an RSA private key kept secret and protected against intrusions,for generating, during a transaction with a verifier device, a proofwhose verification by means of a public key associated with said privatekey ensures that said prover device has originated said proof, said RSApublic key comprising a first exponent and a modulus, the prover devicecomprising: calculation means for generating a first element of proofcompletely or partly independently of the transaction and to generate asecond element of proof related to the first element of proof anddependent on a common number specific to the transaction; andcommunication means for transmitting at least the first and secondelements of proof and for transmitting said common number to theverifier device or receiving said common number from the verifierdevice.
 14. The prover device as claimed in claim 13, wherein thecalculation means are, on the one hand, designed to generate a firstrandom number and to raise a generic number to a second power modulo themodulus having a third exponent equal to the first exponent of thepublic key multiplied by the random integer; and wherein the calculationmeans are, on the other hand designed to generate the second element ofproof by taking the difference between the random integer and theprivate key multiplied by the common number or, where the common numberis split into two elementary common numbers, by subtracting from therandom integer multiplied by the first elementary common number, theprivate key multiplied by the second elementary common number.
 15. Theprover device as claimed in claim 14, wherein the calculation means aredesigned to carry out operations modulo an image of the modulus via aCarmichael function or modulo a multiple of the order of the genericnumber modulo the modulus.
 16. A verifier device for verifying that aproof originates from a prover device provided with an RSA private keykept secret by the prover device, by means of a public key associatedwith said private key, said RSA public key comprising an exponent and amodulus, the verifier device comprising: communication means forreceiving a first element of proof and a second element of proof or athird element of proof, and for receiving or transmitting a commonnumber specific to a transaction within which the first and the secondor the third element of proof are received; and calculation means forverifying that the first element of proof is related through arelationship, modulo the modulus, with a first power of a generic numberhaving a second exponent equal to a linear combination of at least partof the common number and of the first exponent of the public keymultiplied by the second element of proof.
 17. The verifier device asclaimed in claim 16, wherein the communication means are designed toreceive the second element of proof and wherein the calculation meansare designed to calculate the second exponent and said first power ofthe generic number.
 18. The verifier device as claimed in claim 16,wherein the communication means are designed to receive the thirdelement of proof and wherein the calculation means are designed to raisethe third element of proof to a power of the first exponent of thepublic key in order to multiply the result thereof by the generic numberraised to a second power having the common number as exponent.
 19. Thecryptographic method as claimed in claim 2, wherein the second elementof proof is generated by the first entity by subtracting, from therandom integer, the private key multiplied by the common number, whereinthe linear combination equal to the second exponent comprises a positiveunitary coefficient for the common number and a positive unitarycoefficient for the first exponent of the public key multiplied by thesecond element of proof, and wherein, in the verified relationship, thefirst element of proof is considered with a unitary exponent power. 20.The cryptographic method as claimed in claim 19, wherein the secondelement of proof is calculated modulo an image of the modulus via aCarmichael function or modulo a multiple of the order of the genericnumber modulo the modulus.
 21. The cryptographic method as claimed inclaim 20, wherein the random integer is less than an image of themodulus via a Carmichael function or less than a multiple of the orderof the generic number modulo the modulus.
 22. The cryptographic methodas claimed in claim 19, wherein the third exponent is calculated moduloan image of the modulus via a Carmichael function or modulo a multipleof the order of the generic number modulo the modulus.
 23. Thecryptographic method as claimed in claim 3, wherein the second elementof proof is generated by the first entity by subtracting, from therandom integer, the private key multiplied by the common number, whereinthe linear combination equal to the second exponent comprises a positiveunitary coefficient for the common number and a positive unitarycoefficient for the first exponent of the public key multiplied by thesecond element of proof, and wherein, in the verified relationship, thefirst element of proof is considered with a unitary exponent power. 24.The cryptographic method as claimed in claim 23, wherein the secondelement of proof is calculated modulo an image of the modulus via aCarmichael function or modulo a multiple of the order of the genericnumber modulo the modulus.
 25. The cryptographic method as claimed inclaim 24, wherein the random integer is less than an image of themodulus via a Carmichael function or less than a multiple of the orderof the generic number modulo the modulus.
 26. The cryptographic methodas claimed in claim 23, wherein the third exponent is calculated moduloan image of the modulus via a Carmichael function or modulo a multipleof the order of the generic number modulo the modulus.
 27. Thecryptographic method as claimed in claim 2, wherein the common numbercomprises first and second elementary common numbers, wherein the secondelement of proof is generated by the first entity by subtracting, fromthe random integer multiplied by the first elementary common number, theprivate key multiplied by the second elementary common number, whereinthe linear combination equal to the second exponent comprises a zerocoefficient for the first elementary common number, a positive unitarycoefficient for the second elementary common number and a positiveunitary coefficient for the first exponent of the public key multipliedby the second element of proof, and wherein, in the verifiedrelationship, the first element of proof is considered with an exponentpower equal to the first elementary common number.
 28. The cryptographicmethod as claimed in claim 27, wherein the second element of proof iscalculated modulo an image of the modulus via a Carmichael function ormodulo a multiple of the order of the generic number modulo the modulus.29. The cryptographic method as claimed in claim 28, wherein the randominteger is less than an image of the modulus via a Carmichael functionor less than a multiple of the order of the generic number modulo themodulus.
 30. The cryptographic method as claimed in claim 27, whereinthe third exponent is calculated modulo an image of the modulus via aCarmichael function or modulo a multiple of the order of the genericnumber modulo the modulus.